From cbb041f06e2edc8a074d25fde9b948c95cda3621 Mon Sep 17 00:00:00 2001 From: Ivan Date: Wed, 22 Apr 2026 13:23:22 -0500 Subject: [PATCH] chore(ci): remove verify-release-attestation.sh script and update attest-release-assets.sh to exclude .cosign.bundle files --- scripts/ci/attest-release-assets.sh | 2 +- scripts/ci/verify-release-attestation.sh | 21 --------------------- 2 files changed, 1 insertion(+), 22 deletions(-) delete mode 100755 scripts/ci/verify-release-attestation.sh diff --git a/scripts/ci/attest-release-assets.sh b/scripts/ci/attest-release-assets.sh index 3a75947..7d63fca 100755 --- a/scripts/ci/attest-release-assets.sh +++ b/scripts/ci/attest-release-assets.sh @@ -19,7 +19,7 @@ trap 'rm -f "$PRED"' EXIT INT python3 scripts/ci/slsa-predicate.py > "$PRED" -find "$DIR" -type f ! -name '*.sha256' ! -name '*.cosign.bundle' | while IFS= read -r f; do +find "$DIR" -type f ! -name '*.cosign.bundle' | while IFS= read -r f; do case "$f" in */.git/*) continue ;; esac diff --git a/scripts/ci/verify-release-attestation.sh b/scripts/ci/verify-release-attestation.sh deleted file mode 100755 index d7f9388..0000000 --- a/scripts/ci/verify-release-attestation.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh -# Verify a cosign SLSA bundle for a release binary using the repository public key. -# Checks Sigstore Rekor (public log) unless COSIGN_REKOR_URL points elsewhere. -# Usage: verify-release-attestation.sh -# Env: COSIGN_PUBLIC_KEY (default cosign.pub) -set -eu - -BLOB="${1:?blob path}" -BUNDLE="${2:?bundle path}" -PUB="${COSIGN_PUBLIC_KEY:-cosign.pub}" - -if [ ! -f "$PUB" ]; then - echo "Missing $PUB (generate a key pair with cosign and commit the .pub file)" >&2 - exit 1 -fi - -exec cosign verify-blob-attestation \ - --key "$PUB" \ - --bundle "$BUNDLE" \ - --type slsaprovenance1 \ - "$BLOB"
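Review bot: The real change on the `find` line in attest-release-assets.sh is the removal of `! -name '*.sha256'`, so checksum sidecar files are now attested as assets; the `*.cosign.bundle` exclusion named in the subject was already present on the old line, which makes the commit message describe the previous behaviour rather than the new one. The loop body continues past the hunk, so I cannot see whether it writes `.sha256` files beside each asset; if it does, `find` may enumerate some of those freshly written files mid-run and attest them nondeterministically, and a comment above the line such as `# .sha256 sidecars are attested like any other asset; only cosign bundles are skipped` would at least record that this is deliberate. With verify-release-attestation.sh deleted, the consumer-side verification invocation (`cosign verify-blob-attestation --key "$PUB" --bundle "$BUNDLE" --type slsaprovenance1 "$BLOB"`, with the public key defaulting to `cosign.pub`) no longer appears anywhere in the tree; a pointer in the attest script's header or in the release documentation would keep it discoverable for anyone checking a download.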